While these apps have been advertised as providing cloud-based cryptocurrency mining, Lookout’s analysis has proven otherwise.
Lookout Threat Lab security researchers have identified more than 170 Android apps that have scammed more than 93,000 people and grossed $350,000 from users who purchased bogus upgrades and additional services. Of the 170, 25 were on Google Play; Google has since removed them.
The researchers classified these applications as BitScam and CloudScam; both use a similar business model.
Lookout explained that unlike most malware, which runs code that performs clearly malicious activity, the BitScam and CloudScam apps don’t do anything malicious. They just collect money for services that don’t exist, which lets them go unnoticed.
BitScam applications were created using a framework that does not require programming experience, and the majority of BitScam and CloudScam applications are paid apps. These apps offer a paid cryptocurrency mining service and let users pay through Google Play’s in-app billing system, Bitcoin, or Ethereum.
When a user logged in to the app, they were presented with an activity dashboard that displayed the available hash mining rate and the number of coins they had earned.
The displayed hash rate was kept very low in order to encourage the user to purchase upgrades that promised faster mining rates. If cloud mining were really taking place, the displayed coin amount would be stored in a secure cloud database and queried via an API. But these apps were showing a fictitious coin balance, not the number of coins mined.
Lookout pointed out that these apps were designed not to allow users to withdraw coins until a minimum balance was reached. And even when someone reached the minimum balance, they wouldn’t be able to withdraw, because the app would display a message telling them that the withdrawal transaction was pending. Then it would reset the user’s coin balance to zero without transferring any money to the user.
Some apps frequently reset users’ coin balances to prevent them from reaching the minimum balance. The reset occurred when the mobile device restarted, the user logged out, or the app crashed.
Lookout advised users to get to know the developers behind the app and install it from an official app store before logging in. It urged users to read the terms and conditions and other users’ reviews, and to understand the app’s permissions and activities.